Hacker Attack and Defense: Windows Account Cloning Attacks and Precautions (Page 1 of 2)

Source: Internet
Author: User
With the development of computer technology and the spread of computers, "hacker" websites large and small have multiplied and attack tools have become ever simpler, so attacks are now increasingly frequent and more and more computers and servers have Trojans planted in them. At the same time, system administrators' security awareness is improving and antivirus software keeps developing, so the life cycle of a Trojan horse is getting shorter. An attacker who has obtained control of a server therefore usually clones a user or installs a shift backdoor to conceal his presence. Below I introduce some common ways of cloning users, how to check whether a cloned user exists, and how to remove it.

First, the principle and harm of account cloning

1. The principle of cloning account

In the registry, an account's identity is held in two places that are both tied to its SID: one is the name of its subkey under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users, and the other is the "F" value stored inside that subkey. Microsoft made the mistake of not keeping the two synchronized: the latter is used at logon, while the former is used when querying accounts. If the administrator's "F" value is written over another account's "F", that account obtains administrator rights while queries still show it in its original state. This is what is called a cloned account.

Security tip: SID stands for Security Identifier, the unique number that identifies user, group, and computer accounts. When an account is first created, a unique SID is issued to each account on the network. Internal processes in Windows 2000 refer to an account's SID rather than to its user or group name. If you create an account, delete it, and then create another account with the same user name, the new account does not receive the rights or permissions granted to the previous one, because it has a different SID.

2. The harm of cloning account

Once a system user has been cloned, combined with Terminal Services it amounts to opening a hidden backdoor for the attacker, who can then enter your system at any time. It is a door you cannot see: it relies on Microsoft's own Terminal Services and drops no virus files, so antivirus software will not catch it.

Second, the common methods of cloning users

1. Manual Cloning Method One

In Windows 2000/XP/2003 and Windows NT the relative ID of the default administrator account is fixed at 500 (0x1F4), so the SID-500 account can be cloned onto an existing account on the machine. Here the account chosen is IUSR_Xodu5ptt910nhoo (Xodu5ptt910nhoo being the name of the compromised server). This account is chosen for better concealment; any user could be treated the same way, this one is simply the most common.
</gre_replace>
<gr_replace lines="25-26" cat="clarify" orig="One of the tools">
One of the tools used here is PsExec, a lightweight telnet replacement that lets you run processes on other systems, with full interactivity for console applications, without manually installing client software. One of PsExec's most powerful uses is launching an interactive command prompt on a remote system and remote-enabling tools such as IpConfig, which otherwise cannot show information about remote systems.
Run psexec -i -s -d cmd to start a cmd shell with SYSTEM privileges, as shown in Figure 1.

One of the tools we'll use here is psexec, a lightweight Telnet replacement that allows you to perform processes on other systems without having to manually install the client software and gain complete interactivity with console applications. One of the most powerful features of PsExec is the launch of an interactive command prompt window in remote systems and remote support tools (such as IpConfig) to display information about remote systems that cannot be displayed in other ways.
Execution: psexec-i-s-d cmd runs a system cmd Shell, as shown in Figure 1.

Figure 1

With a cmd shell running as SYSTEM, run "regedit /e admin.reg hkey_local_machine\sam\sam\domains\account\users\000001F4" inside it. This exports the information of the administrator account with SID 0x1F4, as shown in Figure 2.

Figure 2

Then edit the Admin.reg file: change the "1F4" in the third line of the file to the SID of IUSR_Xodu5ptt910nhoo, that is, change "1F4" to "3EB", as shown in Figure 3.

Figure 3

After saving, run "regedit /s admin.reg" to import Admin.reg, and finally run net user Iusr_xodu5ptt910nhoo n3tl04d to set the IUSR_Xodu5ptt910nhoo password to n3tl04d. A 14-character password is recommended, and the more it resembles the original Iusr_xodu5ptt910nhoo password the better. You can now log in remotely as Iusr_xodu5ptt910nhoo with the password n3tl04d and get exactly the same environment as the administrator, as shown in Figure 4.

Figure 4

Note: On most machines the SID of the Iusr_machine user is 0x3e9 (this holds when IIS was installed during the initial installation; if IIS was installed later, after other accounts had been created, the value may differ). If unsure, run
"regedit /e sid.reg hkey_local_machine\sam\sam\domains\account\users\names\iusr_machine" to export it from the registry, then open Sid.reg to read the SID, here "3EB", as shown in Figure 5.

Figure 5

2. Manual Cloning Method Two

Another way to clone an account is to run Regedt32.exe, expand the registry to HKEY_LOCAL_MACHINE\SAM\SAM, and then choose Edit → Permissions from the menu bar (on Windows 2000 it is Security → Permissions). In the SAM permissions window that opens, select Administrators, tick Allow Full Control (on Windows 2000 also tick "Allow inheritable permissions from parent to propagate to this object") and click OK, as shown in Figure 6.

Figure 6

Locate HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 and double-click the "F" item in the right-hand pane, as shown in Figure 7.

Figure 7
Select the entire content, right-click and choose "Copy", then open the F item under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EB and paste the copied content. This clones the IUSR_Xodu5ptt910nhoo account into an administrator. Afterwards the permissions added on the SAM key are removed again to avoid discovery.
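From the defender's side, both Method One and Method Two leave the same trace: an account whose "F" value was copied from the administrator. The following check is an added example, not code from the original article: it parses a regedit /e export of the SAM Users keys (converted from regedit's UTF-16LE to a text string) and flags accounts whose F does not belong to them. It assumes the commonly known SAM F layout in which the account's own RID is stored as a little-endian DWORD at offset 0x30; the sample export is constructed.

```python
import re

SAM_USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

def parse_reg_f_values(reg_text):
    """Map RID -> raw bytes of the "F" value of every Users\0000XXXX key in a regedit /e export."""
    result, cur_rid, buf = {}, None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if buf is None and cur_rid is not None and line.lower().startswith('"f"=hex:'):
            buf, line = [], line[8:]                 # start collecting the F hex bytes
        if buf is not None:                           # (continued) hex line of the F value
            buf.append(line.rstrip("\\"))
            if not line.endswith("\\"):               # no trailing backslash: value complete
                result[cur_rid] = bytes.fromhex("".join(buf).replace(",", ""))
                buf = None
        elif line.startswith("[") and line.endswith("]"):   # a new registry key
            parent, _, leaf = line[1:-1].rpartition("\\")
            is_user = parent.lower() == SAM_USERS.lower() and re.fullmatch(r"[0-9A-F]{8}", leaf, re.I)
            cur_rid = int(leaf, 16) if is_user else None
    return result

def find_clones(f_values):
    """The RID at offset 0x30 of F must match the key name; a mismatch means the F blob was
    copied from another account. The byte-for-byte comparison is a weaker second signal,
    since a later password change rewrites timestamps inside the copied F."""
    findings = []
    for rid, f in f_values.items():
        stored = int.from_bytes(f[0x30:0x34], "little") if len(f) >= 0x34 else -1
        if stored != rid:
            findings.append((rid, f"F carries RID {stored:#x}, expected {rid:#x}"))
        if any(other != rid and g == f for other, g in f_values.items()):
            findings.append((rid, "F identical to another account's F"))
    return findings

def _f_hex(rid):
    # constructed 0x50-byte F blob with only the RID field set, laid out the way regedit
    # writes hex values: 25 bytes per line, lines continued with a trailing backslash
    f = bytearray(0x50)
    f[0x30:0x34] = rid.to_bytes(4, "little")
    parts = [f"{b:02x}" for b in f]
    return ",\\\n  ".join(",".join(parts[i:i + 25]) for i in range(0, len(parts), 25))

# constructed export: account 3E9 received a copy of the administrator's (1F4) F value
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{SAM_USERS}\\000001F4]", f'"F"=hex:{_f_hex(0x1F4)}', "",
    f"[{SAM_USERS}\\000003EB]", f'"F"=hex:{_f_hex(0x3EB)}', "",
    f"[{SAM_USERS}\\000003E9]", f'"F"=hex:{_f_hex(0x1F4)}', ""])
```

Running find_clones(parse_reg_f_values(SAMPLE_REG)) reports RID 0x3e9 as carrying the administrator's RID 0x1f4, while the untouched 0x3eb account produces no finding.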

3. Using MT cloning

Mt.exe is a very powerful network tool that is used mainly from the command line; it can start system services, check users, and directly display users' logon passwords. It is a double-edged sword used by intruders and system administrators alike, but because intruders use it so often, many antivirus products list it as a virus.
A detailed test report on MT can be read at Http://www.antian365.com/bbs/viewthread.php?tid=2786&extra=page%3D1&frombbs=1. Cloning a user with it works as follows:
mt -clone <source account> <target account>
for example: mt -clone administrator Iusr_xodu5ptt910nhoo
as shown in Figure 8.

Figure 8
This clones the administrator account onto the Iusr_xodu5ptt910nhoo account. Finally, run net user Iusr_xodu5ptt910nhoo n3tl04d to set the Iusr_xodu5ptt910nhoo password to n3tl04d.

4. Using AIO clones

AIO (all in one) is a "tool" written by Wineggdrop that integrates a number of small utilities, including cloning users, changing the startup type of services, deleting system accounts, checking for hidden system services, port scanning, port forwarding, and so on.

Cloning with AIO is simple: aio.exe -clone <normal account> <account to be cloned> <password>
for example: aio.exe -clone Administrator Iusr_xodu5ptt910nhoo n3tl04d
This allows logging on as an administrator with iusr_xodu5ptt910nhoo\n3tl04d,
as shown in Figure 9.

Figure 9

5. Using a CA clone

Ca.exe is a remote account-cloning tool written by Little Banyan (Xiao Rong); local cloning works just as well.
Usage: CA \\<IP address> <administrator user name> <administrator password> <user to be cloned> <password>
for example: CA \\127.0.0.1 Administrator 123456 Iusr_xodu5ptt910nhoo 123456
as shown in Figure 10.

Figure 10

6. Create a hidden account

The tool needed here is called adhider, written by Jin Woolly specifically to create hidden users. Its drawback is that after the server restarts the user is no longer hidden and shows up in user management.
Usage: adhider <user name> <password>
for example: adhider n3tl04d$ 123456
as shown in Figure 11.

Figure 11
Once the account has been created, you can log in with
n3tl04d$\123456 and obtain administrator privileges.

7. Using Clone clones

Clone is a cloning tool written by 28 Degree Ice that supports only Windows 2003 and Windows XP, not Windows 2000. Its drawback is the same: after the server restarts the user is no longer hidden and shows up in user management.
Usage: Clone.exe <user name> <password>
for example: Clone n3tl04d 520mm
as shown in Figure 12.

Figure 12

You can then log in with n3tl04d\520mm and obtain administrator privileges.

Note: If you run an MT check after cloning with Clone on Windows 2003, you will be told that you do not have SYSTEM privileges; you may need to reboot the computer, or run MT from a cmd with SYSTEM privileges to perform the check.
